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The recent discovery of fully-homomorphic classical encryption schemes has had a dramatic effect 
on the direction of modern cryptography. Such schemes, however, implicitly rely on the assumptions 
that solving certain computation problems are intractable. Here we present a quantum encryption 
scheme which is homomorphic for arbitrary classical and quantum circuits which have at most some 
constant number of non-Clifford gates. Unlike classical schemes, the security of the scheme we 
present is information theoretic, satisfying entropic security definitions, and hence independent of 
the computational power of an adversary. 


I. INTRODUCTION 

Harnessing the power of quantum mechanics to build cryptosystems is a key motivation for developing quantum 
technologies. Quantum key distribution (QKD), pioneered by Bennett and Brassard [T] and Ekert [5], is an example 
of a quantum cryptographic primitive that offers functionality beyond that of classical cryptography. An advantage 
of quantum cryptography is that it often provides information-theoretic security guarantees that relies only the 
correctness of quantum mechanics, and so avoids the need for assumptions about the computational hardness of 
certain problems as in the case for many classical cryptographic protocols. There has been some amount of success in 
quantum approaches to cryptographic problems beyond key distribution, including secure randomness generation mm, 
coin-flipping I^, secret sharing HHin] and bit-commitment [IIHIl]- One area in particular that has seen signihcant 
progress in recent years is the development of quantum cryptographic protocols for delegated computation m, which 
includes blind quantum computation |16II21j , and verifiable quantum computation |22H25j . Homomorphic encryption 
has been recognised as an important primitive for building secure delegated computation protocols for many decades 
pS] . It provides a processing functionality for encrypted quantum data which stays secret during the evaluation, and 
a scheme is fully-homomorphic if it allows for arbitrary quantum computation. Despite widespread interest in this 
problem, it was not until 2009 that the first computationally secure classical scheme for fully homomorphic encryption 
(FHE) was discovered [27j . with many improvements following rapidly from this initial discovery |281l29j . This problem 
has recently drawn attention within the quantum information community |30H35j . with natural questions arising as 
to whether quantum cryptosystems might offer unconditionally secure homomorphic encryption schemes and whether 
the privacy homomorphisms could be extended to allow for evaluation of quantum circuits. 

Quantum homomorphic encryption (QHE) schemes comprise of four parts: key generation, encryption, evaluation, 
and decryption. Unlike blind quantum computation, in which the computation to be performed forms part of the 
secret, QHE schemes do not have secret circuit evaluations. They serve to obscure only the information that is 
contained within the state to be processed using the chosen circuit. The extent to which a scheme is secure depends 
on its specifics, and in previous work has varied depending on the precise nature of the computation which can be 
performed on the encrypted input. QHE schemes described in Refs. [341135j offer some information theoretic security, 
but this is only in the form of a gap between the information accessible with and without the secret key, a notion of 
security which does not imply the stronger notion of security under composition. These schemes are also limited in 
the set of operations that can be performed on the encrypted data. The scheme in [34] only allows computations in 
the BosonSampling model, while that in |35j does not offer any known encoding for universal quantum computing. 
A hybrid scheme offered by |36j serves to remove the need for any interactions but requires bootstrapping onto a 
classical fully homomorphic encryption scheme and as such is only computationally secure. Several other schemes 
for computing on encrypted data have previously been introduced which offer universal quantum computation, but 
require interactions between the client and evaluator |30H33j . This requirement for interaction places them outside 
of the formalism of homomorphic encryption, although confusingly several of these schemes use that terminology 
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[sniisi]- 

The difficulty in creating a perfectly secure quantum fully homomorphic encryption (QFHE) scheme persists, and 
is in line with the no-go result provided by m that perfect information-theoretic security whilst enabling arbitrary 
processing of encrypted data is impossible, unless the size of the encoding grows exponentially. Nonetheless, given the 
growing interest in QHE schemes and the multitude of possibilities, Broadbent and Jeffrey set out to provide a rigorous 
framework for defining QHE schemes [36] , basing their security definitions on the requirement for indistinguishability 
of codewords under chosen plaintext attack. 


II. SUMMARY OF RESULTS 


Our main result is a family of quantum homomorphic encryption schemes, presented in Cryptosystem which 
supports the evaluation of quantum circuits containing at most some constant number of non-Clifford group gates. 
This scheme is proven to be secure in an entropic model which is strictly stronger than the security conditions laid down 
in [36) . The QHE scheme we present is a symmetric-key homomorphic encryption protocol that supports evaluation 
of constant T-depth quantum circuits while providing strong information theoretic security guarantees. It builds on 
constructions taken from quantum error correction codes to provide gates for universal quantum computation. The 
block of qubits that contains the code is embedded in a much larger set of qubits that are initialized in a maximally 
mixed state. The qubits are then shuffled in a specific but random way to hide the qubits that contain that code. 
Our protocol guarantees that the trace distance between ciphertexts corresponding to any two quantum inputs is 
exponentially suppressed. This is a significantly stronger security guarantee than previous homomorphic encryption 
schemes presented in [33]. Moreover the computation power of our scheme is equivalent to that of Broadbent and 
Jeffrey’s while not needing to bootstrap on the classical homomorphic encryption scheme. This use of classical fully 
homomorphic encryption is the weakest link in the Broadbent-Jeffery cryptosystem, since it introduces a reliance on 
computational assumptions [44] . 

Eormally, the QHE scheme we present in Cryptosystem satisfies the following theorem. 

Theorem 1. Let b,r,n,m be positive integers where n = An' -\- 1 for some positive integer n', and let t be a non¬ 
negative integer. Let 7 denote the fixed tuple of integers {b,r,t,n,m). Let k be the symmetric key of our scheme, 
chosen uniformly at random from the symmetric group of order n -\- m. Then Q-f is a QHE scheme satisfying the 
following properties: 

• Completeness — Let Pinput be any r-qubit state, and let pt = (Ti/|0)(0|iJ^Tl)®*), where T is the ^-gate and 
H is the Hadamard gate. Let {Vi,... ,Vd) be any sequence of unitaries on r qubits comprising of single qubit 
Clifford gates, two-qubit CNOTs, and exactly t single qubit T gates. Then for every k G Sn-i-m, 

(Poutput) /") — Dec^ Evat-^ Vi,..., VJ), Etic^I^k, (pinput C) Pt) (1) 

yields the correct output Poutput = Vd - ■ ■ kiPinputVi^ ■ ■ - ^d except with probability at most 6 in which case a 
heralded failure / = 0 results, where 

\ exp(-62-2*+i -H y62-*+2 - 2) ,t>l. ^ ’ 


• Security — Without knowledge of the symmetric key, the trace distance 5 between any two encrypted inputs is 
exponentially small. Namely, for all b{r -\- f)-qubit density matrices t and t' , we have 


7— Yl Enc-^{K,T)-- —V Enc-^{K,T') 
(nJ-TOl! (nJ-TOl! 

'■ ' kGS„+™ ^ ’ KeS„+rr, 


< e 


8 n 


7r(l 


ry) exp (-f ln(l + ^) - ^ ln(l + a)) , 


(3) 


where a = ™ . In particular when a = ™ approaches a positive constant for large n, e is exponentially surpressed 
in n. 


• Compactness — The maximum circuit size needed to implement the encryption and the decryption is at most 
polynomial in the parameters of 7 , and independent of the circuit to be implemented, provided that it is makes 
use of at most t single qubit T-gates. 
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III. PRELIMINARIES 


Let Z_|_ denote the set of positive integers. For all n, ni, n 2 S Z_|_ such that ni < n 2 we define [n] = {1,..., n}, and 
[ni : 712 ] = {ni,..., n^}. Given any two sets X and y, define X — y = {x € X ■. x ^ 3^}. 

For qubits arranged on a grid with p rows and q columns, let 'H(^x,y) denote the Hilbert space of the qubit located at 
position (x, y), where (x, y) denotes the a:-th row and the y-th column, where x S [p] and y G [g]. For all £ C [p] x [g], 
define We denote the Hilbert space of the grid of the pq qubits as . 

Given a Hilbert space T-L, we let L{'H) denote the set of linear operators mapping H to H. We let D{'H) denote the 
set of density matrices in that is the set of positive semidefinite operators in L{'H) with unit trace. For any 

Hilbert space admitting a tensor product structure /Ci ® /C 2 , we define the corresponding partial trace by TrA;^ as the 
unique linear operator such that for all Ki G L(/Ci) and K 2 G L(/C 2 ) we have Tr^j {Ki 0 K 2 ) = K 2 Tr(Ai), and Tr is 
the usual trace operator. Also define the partial trace on the complementary space to be such that for all Ki G L(fCi) 
and K 2 G £(^ 2 ) we have Tr;ci(£^i G) AI 2 ) = Tr(A' 2 ). 

Let I = (Jo = |0)(0| + |l)(l|,3f = <ji = |0)(1| + |1)(0|,Z = (73 = |0)(0| — |1)(1| and Y = a 2 = i(Ji<J 3 denote the usual 
Pauli matrices in £(C^), where {|0), |1)} is an orthonormal basis of C^. Let H — + Z), S = |0)(0| + *|1)(1| and 

T = |0)(0| + e“'^"^|0)(0|. We denote the set of single-qubit Clifford gates as Q = {I,X,Y,Z,H,S}. Define the magic 
state |T) = riL|0). 

For all G G £(C^), denote [G](a;_y) G L{'H(^x,y)) as the linear operator G operating on the qubit at {x,y). Now let £ 
be any subset of [p] x [g]. Dehne y)eci^'\G,v)- in define the operator that implements G on 

the qubit at (x, y) and acts trivially on all other qubits labeled by £ to be 

[G]fx,y) = [G]^..y)<Z[lf-^<~^’y^^. 


We denote C(x,y),{x',y') G L{'H(^x,y) ®'Hi^x',y')) as a CNOT performed between the control qubit (x,y) and target qubit 
{x',y'). For all distinct {x,y) and {x',y') in £, define 


/~iC 

G,y),G',v') 


— G(^x,y),(x' ,y') [Z] 


C-{{x,y),ix' ,y')} 


We also denote ^ ^[p]xM 

xAy,y) (x,y),(x,y') ’ {x,x'),y (x,y),{x',y) (x ,y) ,(x',y') (x ,y) ,(x',y') 

For arbitrary positive integers p and g. Let Xip^q denote the set of matrices with entries chosen from the set {0,1, 2,3} 
and with p rows and g columns. Let G denote a row vector with each of its first j components equal 

to 1 and the remaining components equal to zero. For every A G -Mp^q let A(x,y) denote the entry in the a;-th row 
and the y-th column of the matrix A. For all A G Xip,q, define 


9 / p 

O'A — ( ^^[cJA(x,y)]{x,y) 

y=l \a;=l 


(4) 


Let Sq denote the symmetric group of order q. Let ipp^q be a representation of Sq such that for every permutation 
7T G Sq and every A G M-p,q^ 


q / p 

^p,q{'^')^ Ap’p^qip^'} ^ = 0 (g)[^A(x, y)\(x,-x(y)) 

y=l \a:=l 


(5) 


IV. QUANTUM HOMOMORPHIC ENCRYPTION 

We introduce a symmetric-key quantum homomorphic encryption (QHE) scheme, consistent with the definition 
introduced by by Broadbent and Jeffery [^. The scheme is parameterised by a tuple of positive integers 7 = 
(b,r,t,n,m). Here r represents the number of qubits in the input, t the number of non-Clifford (T) gates supported 
by the encoding, n the length of the random error correction code used in the encoding and m the number of random 
ancilla qubits per logical qubit encoded. Finally, b represents the number of copies of the input that are encoded, and 
is used to amplify the success probability for evaluation of T gates. 

Our QHE scheme given explicitly in Cryptosystem comprises of key generation, encryption, evaluation and 
decryption algorithms. We denote the state to be encrypted as r e D{'H^G+t')G'j^ which is composed of b copies of the 
plaintext state Pinput together with bt magic states used to implement T gates via gate teleportation. The sequence 
of gates comprising the circuit to be evaluated is denoted as (Vi,..., Vd) G and the circuit to be evaluated 
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is 1/ = Vi.. - Vd- Here, each Vi is either a single-qubit Clifford gate, a single-qubit T gate, or a CNOT acting on a 
pair of qubits. Moreover, the quantum circuit V comprises of exactly t single-qubit T-gates. 

Now let /3 S [6] be an index labeling the /3-th copy, x G [r -|- t] be a row label within a specified copy, and 
row(,5, x) = [[i — l){r +1) + X denote the x-th row in /3-th copy. Using the singleton set = {row(/3, x)}, we define 
(i) the set ffmagic,/? = [Sx=r+i which labels the last t rows within the /3-th copy to be used for implementing 
the privacy homomorphisms of the T-gate, (ii) the set dfother,/? = \Sx=i^P,x which labels the rows within the /3-th 
copy used for the r data qubits, (iii) the set Xp = Xp^x which labels all rows within the /3-th copy, (iv) the set 

= U^=i which labels the x-th row of every copy, and (v) the set X^nagic = U^=i '^magic ,/3 which labels the 
last t rows of every copy. For our QHE scheme to work, we require that an input state r be prepared from b copies 
of Pinput having the form 


b / 

'T = (^ Pinput./3 C) 

/3=1 V 



[\T){T\]<^x,i) 


Here, Pmput,/? denotes the /3-th copy of pinput, and each pinput ,/3 has the explicit Pauli-decomposition 

Pinput,/3 = A(x,l)\{x,l) 

A^A^r,! ^^A’other,/3 


( 6 ) 


(7) 


for some real constants a a- Note that each r-qubit state Pinput.p in for all /3 G [&] is prepared as an 

independent and identical copy of Pinput 7 and every other input qubit is initialized in the magic state |T)(T|. 

In the encryption procedure of Cryptosystem 0 the quantum channel E : —)■ has the 

definition where 


£(t) = t ® 


' n+ra b(r+t) 


[7/2] (a;,y) 


y—2 x—1 


( 8 ) 


introduces n -|- m — 1 more columns to the system, initializing each newly introduced qubit in a maximally mixed 
state. For all x G [b{r + t)], the quantum information in each qubit on the x-th row in the first column is encoded 
into a quantum code via a unitary 


/^{x}x[n] ^{x}x[n]\ f^{x}x[n] ^{a:}x[n]\ 

■■■'^x,{l,n) jy^x,{2,l) ■■■^x,{n,l) ) ' 


(9) 


as depicted in Figure In our scheme, Ux is applied to the first n columns and puts the qubits in each row into a 
random quantum code. We denote this unitary operation as v 


U = 


( b r-\-t 

(g)(g)U,ow(/ 3 ,.) I ^[I]lb(r+t)]x[n+l:n+ra]^ 

P=1x=l 


( 10 ) 


Since each Ux encodes the first n qubits in the x-th row into a random quantum code, a random subspace of 
7 ^{ 2 ^}xH consistent with the encoding Ux, the resultant quantum information resides in a random codespace. For 
odd n, the logical X and Z operators for each logical qubit on the x-th row are encoded as X = Ul[X]^^^'^^^Ux and 

respectively, where the bar signifies that the same Pauli operator is applied to every physical 
qubit comprising that logical qubit. By using the commmutation relations 



? ? 5 5 


it is easy to see that for G G {X, Z} and for odd n, the corresponding logical operators have the form 

n 

Gx = = Ux[G]\^^^^^-^Ul = (g)[G](,,,). 

y=i 


( 11 ) 
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Cryptosystem 1 QHE scheme Q^, 7 = {b,r,t,n,m) 

K ■(— KeyGen^ 

p Enc^(«:, r) 

i> ^ EvalT,((Vl,. . . , Vd),^ 

(pout , /) ^ DeCj{K,i^) 


definitions 

p = 6(r + t) 


= 


(^{x}x[n 
\r+t 


)( 


^{x}x[n] ^{x}x[n' 

^-,(2,1) ’”^x,(n,l) 


u = cp(u+t)+. ® [/]bix[-+i-+™i 

end definitions 


^ for a; = 1,... ,p 


procedure KeyGen^ 

Pick K e Sn+m uniformly at random. 

return k 
end procedure 

procedure ENC.y(K, r) 

r ^ £{t) = T ® ((8)";r(8)Li 1^/21 (.,.)) 

Pk ^ P^p,n-^m{l^') 

T ^ UtU'^ 

return Pf^rP^. 
end procedure 

procedure EvAL.y((Pi,..., Vd), p) 
jy — p , (y, — 1 
for i = 1,... ,d do 

if Vi = where G € Q then 

^ (cr" XGT^ )t 

else if Vi = then 

else 

i' ^ 

a <— a + 1 

end if 
end for 
return ly 
end procedure 

procedure DEC.y(K, ly) 

b <— (r + t) 

Pk ^ Pp,n + m(/^) 
r' ^ U'^PivP^U 

for 13= 1,..., 6 do 
if t = 0 then cp <— 0 
else 

for i = 1,... ,t do 

C/ 3 ,i Measure r' with operator [Z]^p(r+t)-t+ip)■ 

end for 

Cp t— “ C/3,i)/2 

end if 
end for 

if min^ cp> 1 then 

return (Tr.j^y]x{i}T', 0) 
else 

Let a be the smallest integer such that Ca = 0. 

C ^ [(a ^l)(r + t) + 1 : (a — l)(r + t) + r] x {1} 

return (Tr.j^cr',1) 

end if 

end procedure 


> Generate symmetric key 


> Encryption 


> Evaluation 


> 1-qubit Clifford 

> CNOT 

> T gate 


> Decryption 


> Failure 


> Success 
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We also have the encoded Y operator, 


i{x,l) 






{x,l) 


(^[^](£c,y) — (^[^](a;.y)) 

y=i y=i 


( 12 ) 


where the last equality follows when n — 1 is divisible by 4. Similarly we get = ®^^i\X](x,y) = Y^- 

Thus the logical X, Y and Z operators of our random code on the a;-th row are just given by their corresponding 
transveral gates. These logical operators satisfy the usual commutation relations among themselves because 
commutation and anti-commutation are preserved under unitary conjugation. At this juncture, it is useful to observe 
the following property: the &(r-|-t)-qubit input state r in is mapped by the encoding operation £ to a density 

matrix £(t) with decomposition 


£(r) 


E 

VGA4b(r+t),l 

A=v[l,iO^] 


2&(T+t){n+m' 




(13) 


for suitable constants r^. We will use this property in Lemma to prove the security of our scheme. Now for all 
X S [b{r + t)] define 


Hx=(S> Sx=(S) (14) 

ye[n\ V&[n] 

It is easy to see that H^X^hI. = Z^, H^Z^hI. = X^, Since n — 1 is divisble by 4, we also have = 

Hx{i^XxZx)H^x = —Yx- Similarly, SxX^S^x = Yx, SxYxS\ = —Xx, and SxZxS\ = Y^x- Hence the non-trivial single 
logical qubit Clifford operations in the codespace on the x-th row are given by Xx,Yx, Zx, Hx, Sx- It also follows 
that the logical CNOT with control on the x-th row and target on the I'-th row is given by 


Cx,x' — ^ix,y),{x',y)' 

yeln] 


Since we have also shown that for n — 1 divisible by 4 and G S {X,Y, Z, H, S}, 

n 


(15) 


(16) 


y=i 


all logical Clifford gates using are transversal, that is, they are tensor products of identical operators over the columns 
of the qubits. A random permutation of the columns according to k then completes the encryption procedure of our 
quantum homomorphic scheme. 

To perform the evaluation, we require the definition of the following operators. For all distinct z and z' in [r -|- t], 
and for all G G Q, define the linear operators where 


b n+m b n+m 

^Eval _ r^]‘^/3X{i/} ^Eval _ /<^ /<^ 

'^z — VCy* VCy* l'-^J(row(/3,a:),i/)’ ^ ^ '-"(row(/3,a:),y).(row(/3.a;'),y)' 


(17) 


3=1 y=l 


3=1 y=l 


Let y^. = K([n]) label the columns where the encrypted data resides and let = [n -I- to] — y^. label the remaining 
columns. Also define 


and 


^code,K _ /0\ /<rX 

^z — l‘-"J(row(/3,z),y) 

/3=i yey^ 

b 

^z — ^ M(row(/3,z),y) 


[^](row(^/3,l),y),(row(/3,z'),i/) 

/3=1 yG^K 


b 

[^](row(^/3,l),y),(row(/3,z'),y)- 

yGT,, 


G! 


g: 


anCjK 

z.z' 


(18) 


(19) 
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FIG. 1: Figure shows qubits arranged on a grid with rows and columns with shaded circles representing data qubits, and 
unshaded circles representing ancilla qubits. A qubit in the x-th row and y-th column is addressed by (x,y). Within 
each row, the n data qubits are in a code and the m ancilla qubits are in the completely mixed state. There are r 
sets of codes, and b copies of such sets. The copies exist to ensure that there is a high probability that at least one 
of the copies implement the correct quantum circuit (see Lemma 3). Ux encodes the n data qubits in the a;-th row 
into a random quantum code. A random permutation of the columns completes the encryption procedure of our 

quantum homomorphic encryption scheme. 


Then we have the tensor product decompositions 


^Eval _ 




C hval _ 

z,z' — ^Z,Z' 


code^K 


C aiic,K 
z,z' ■ 


( 20 ) 


Note from eq. (17) that and (7^°,,,®’” admit a tensor product decomposition over b copies and hence 

h b 

^code,At ,_ ^code,/3,K; ^code,K, _ ^code,/3,/t 

0=1 ’ 0=1 

where 


y-^code,/3,K _ ^codie,0,K _ 

^z — ’ ^Z.z' — ^ ^(z.v).(z'.v)- 


yey^ 


z,z' \<_y '-'(z,y),{z',y)- 

v&y. 


We similarly define the operators 


where 


^code __ ^code,/3 ^code 


gcode,/3^ ^code. 


code,^ 




i/G[r! 


3=1 


ye[n 


c: 


{z,y)Xz',y)- 


( 21 ) 


( 22 ) 


(23) 


(24) 













































At this stage, it is not clear a priori that the Eval^ operator presented in Cryptosystem ^ results in the undiscarded 
copies, after the decryption procedure is applied, containing quantum data with V actually implemented. Such a 
circuit is in fact applied with high probability, as long as the number of copies b is sufficiently large as given in 
Lemma Since the evaluator only applies transversal gates, these gates must commute with the secret permutation 
of the columns of the qubits on the grid. Moreover the ancilla qubits are initialized in the maximally mixed state, 
which implies that the effect of the evaluator’s gates and after the columns are unpermuted is equivalent to 

applying operations [G] for every G € 0 and 0^^, C'J^w(S).y),(row(/ 3 ..'),s/) respectively. 

We prove this formally in Lemma 

Now the non-Clifford gate T can be implemented using via gate teleportation [38l [39]. Without a controlled 
quantum operation dependent on the output of a ^-measurement, the correct output is obtained with a probability 
of one half using the quantum circuits below. In the standard single qubit gate teleportation protocol, the 
^-measurement is performed on the data qubit, so to allow the measurement to be performed on the ancilla qubit, 
we can just swap the qubit back, which yields the second circuit below. Now the logical CNOT and the logical Z for 
our quantum code can be applied transversally. Hence the gate teleportation of the logical T operation which relies 
on these logical operations can also be performed transversally. All that is required for the correct implementation 
of the gate teleportation of the logical T-gate is that the outcome of the logical Z-measurement is 1. We note that 
the required measurement can be deferred until decryption due to the principle of deferred measurement [40) . 


|0) — H - T 


T\il}) with probability | 


|0) - H - T -m 




Z meas 


Z meas 


-T’ 1 ' 0 ) with probability \ 


Lemma 2. Let 7 = (&, r, t, n, m) he a 5-tuple of positive integers satisfying the constraints as given in Theorem 
Let K G Sn+m, T he given by and {Vi,...,Vd) G L{TU''^Y ® sequence of r-qubit unitary matrices, 
where every Vi is either from the set Q, a two-qubit CNOT, or a single-qubit T gate. Let (poutput,/) = 

If 


Dec. 


,(^K, Eval.y(^{Vi,... ,Vd), Enc.y{K,T)^'^ be the output of the decryption algorithm as given in Cryptosystem 


/ = 1, then 


Poutput — Vd ■ ■ ■ Vipinput 


Proof. For any subset I of [n -I- m], let k{T) = {K{k) : k G I}. Let £« = [b{r -\- 1)] x and let = [b{r -\- 1)] x y^. 
Note that for every r G we necessarily have Enc.y(K,T) = Pcode < 8 ) Pane, where Pcode G 0(71^'“) and 

Pane = denotes the maximally mixed state on the ancilla qubits. Let l^ne = lane = 

^j-^lb{r+t)]xln-\-i:n-\-m] (Jej^ote the identity operator over the encrypted and unencrypted ancilla qubits respectively. 

Note that for all unitary matrices R and R' in L{'H^'^) and L{'H^'^) respectively, and for any pcode G we 

have 


[R 0 R )(peode ® Paxic)i.R ® Rf^ — (Apeode.^^) ® Pane, 

It follows from (201 that for all distinct z and z' in [r -I- t] we have 

Gr^(Pcode 0 Pane)(Gf = (G^"®’Veode(Gr^’")t) ® p,„„ 

and 

G5^,^(Peode 0 Pane)(Gf-,^)t = Vcode(G:°t’")t) 0 Pane- 


(25) 

(26) 
(27) 


For all i G [d], let a{i) be the number of T gates in the sequence (Vi,..., Vi). From Cryptosystem 1, the evaluation 
unitaries , ■ • •, have the form 


, Vi = [CYc for some G G {A, Y, Z, H, S'} and z G [r] 
, Vi = G}’^, for some z, z' G [r] where z ^ z' 


r Gf 

y^Eval ^ ) (^Eval 

i for some z G [r] 

Now define Vf°^^ and 17,““’ where 


Z.Z 

nr.l 


(28) 



Z^Z' 

code,K 


^coae,K ^code,K 
^r‘+a(f), 2 ^ 2 ,r+Q; 


, Vi = [G]for some G G {A, Y, Z, H, Sj and z G [r] 
, Vi = CYz' for some z, z' G [r] where z z' 

(7 > y = for some z G [r] 


(29) 
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and 


V, 


axic,K 


^anc,K, 

^anc,K 

^anc,K ^cinCjK 

r+a(i),z z,r+a( 2 ) 


, Vi = for some G S {X, Y, Z, H, S} and z € [r] 

, Vi = Cl’^, for some z,z' G [r] where z ^ z' 

, Vi = for some z G [r] 


(30) 


Hence for every i G [d], 


TyEval 


T rCode,/t 


®Vi 


QIiC,K 


(31) 


Since the encrypted columns of ancilla qubits give the identities (261 and (27), we have 


^E.al ^ ^ ^ ^Eval ^ (^Eval)t . . . (yEval)t = ^ ^ ^ 


(32) 


which implies that applying the unitary Vf^^^ ... is equivalent to applying the unitary ^ ^ 1/]^°'*®’'^)®!^^^.. 

In the Heisenberg picture, the unpermuting of the columns of the qubits followed by implementing the quantum circuit 
W maps the evaluation unitary , y^code.K^ ^ 


p-\ ^^code,K -y-codejK, 


<Z Knc)P.U = (t/tpt(y-d- 


® K^JP.U) ... (t/tpt(y-<ie.. 


V- 

anc 


)P.U), 


where P^ = ^b(r+t),n+m{iP)- Now define the decrypted unitary operations 


^code _ 


g: 


for some z G [r] 


, Vi = [G]^^ for some G G {X, Y, Z, H, S'} and z G [r] 
, Vi = G}’^, for some z, z' G [r] where z ^ z' 


(33) 


(34) 


Clearly for every i G [d] , 




code,K ^ n K 


K^.)P = ® la 


Now define to be the identity operator on the first n columns of every qubit in the /3-th copy, except for the row 
with label row(/3, z). Similarly define tp^(z,z') to be the identity operator on the first n columns of every qubit in the 
/3-th copy, except for the rows with labels row(,5, z) and row(/3, z'). Then we have the block decompositions 


^code _ ^code,/3 yfcode _ ^code,/3 


3=1 


3=1 


where for each /3 G [&] we can write 


and 


QCj>de ,0 _ (g) 


^code,/3 _ ^ 
O ^ - O 1 


row(/3,z),row(/3,z') ® 1,3,(z,z') 


Observe now that we have the following cases. 


1. Case Vi = [G]|^^ for some G G {X, Y, Z, H, S} and z G [r]. 
Observe that 


uHv^ 


' lanc)G — I (^Gj^^^^^^^Gi.ow(/3,z)Grow(/3,z) O 1/3,zj j O lane — j (^) [G] 
\Vi O 


Xp X [n] 
(row(/3,z),l) 


3=1 

b 


./ 3=1 


(35) 

(36) 

(37) 


( 38 ) 
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2. Case Vi = Cl\, for some z,z' € [r] where z ^ z'. 
Observe that 


O lanc)b^ — j (^) ^(^row(^,z) ® ^row(/3,z') irow(/3,2') (t^row(/S,z) ® ^row(/3,z')) O j O ^-a 


3=1 

h 

8 

3-1 

b 

8 

,/3=l 


^ ^(row(/3,z),l),(row(/3,z'),l) I ® ^anc 


iCi 0 0la„c- 


(39) 


3. Case Vt = for some z € [r]. 

From the above two cases, it follows that 


C7t(C,= 


lanc)?^ = 



,Xi, X [■ 


a 


XfiXl 


(row(/3,r+a(i)),l),(row(/3,z),l) (row(/3,z),l),(row(/3,r+a(i)),l) 


(40) 


Hence 0 implements the correct decrypted Clifford operations. Subsequent measurement of 

the qubits with the observable Z in the first column in the rows Xmagic then completes the evaluation of the T gate 
teleportation. The copy Tg with every observable measured being +1 then implements all the T gates correctly, and 
hence that copy contains the correct quantum output Poutput = 14 ... VipinputVi ... 14 . □ 

Broadbent and Jeffery also require that a quantum fully homomorphic encryption satisfies two properties: 
correctness and compactness. Perfect correctness occurs when the evaluated output on the cipherstate after decryption 
is exactly the correct evaluated input. For all n — 1 divisible by 4, whenever Cryptosystem yields a success flag 
/ = 1, the corresponding pout satisfies perfect correctness because pout = VpV\ independent of the quantum circuit 
V . This is because each Clifford gate is implemented perfectly within our scheme, and the decryption algorithm 
outputs the copy with the correct T gates implemented when / = 1. Thus although Cryptosystem does not succeed 
in implementing T gates with unit probability, it can be said to have heralded perfect completeness: provided / = 1 
the correct unitary has been implemented. For constant t, the number of copies b need only be a large constant as 
given by Lemma in order to have a high probability of implementing the correct circuit. We emphasize that with 
even a single copy, we have constant probability of success; we simply use extra copies to amplify the probability of 
success. 


Lemma 3. Let n — 1 he divisble by f. For all positive integers t and all positive 5 such that 0 < S < 1, let 
b > (-y/ ~ 2 " + 1)^2^*. Then the probability of at least one of the b copies implementing the correct quantum circuit is 


at least 1 — <5. 


Proof. Without loss of generality we consider t > 1, since when t = 0 the probability of obtaining the correct circuit 
is trivially unity. Let c = — InJ. Since 6 > 1, we get the inequality 2“‘ > ^ > \/^ + For each copy, the 

probability of success is exactly 2“*, since the probability of implementing each T-gate successfully is 

For P G [ 6 ] let Xp be a Bernoulli random variable such that Pr[Jf^ = 0] = 2~* and Pr[X^ = 1] = 1 — 2~\ so that 
Xp = 1 indicates a failure to implement t single qubit T gates successfully. Then the probability of at least 6—1 
failures is 


S' = Pr[^ Xp > 6 — 1] < exp f — 
/3=i \ 


2((5-l)- 6 ( 1 - 2 -*))^ 


(41) 


where the inequality follows from Hoeffding’s bound [H]. Now ((6 — 1) — 6(1 — 2“*))^ = (6 — 1 — 6 + 2“‘6)^ = /(2“*) 
where f{x) = {bx — 1)^. Denoting f'{x) = ^f{x), observe that for all x > 1/6, f'{x) = 26^x — 26 > 0. This implies 
that /(x) is a strictly increasing function on the open interval (1/6, 00 ). Now 0 < 6 < 1 implies that c > 0, which in 
turn implies that 6 > 2* and 2“‘ > 1/6. Hence we get /(2“*) > /(\/^+ ^) = It follows that S' < exp(—c) = S. □ 
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The definition of compactness follows analogously from its classical counterpart. It requires that the complexity of 
Dec.y be independent of the evaluated circuit. Our QHE scheme satishes the compactness requirement if the circuit 
contains a constant number of T gates. In the three-part algorithm for Dec..y, W requires 2{n—X)h{r + t) gates, and P\ 
requires at most (n + m — l)b{r + t) gates (the largest cycle contained in any element of Sm+n is a {m + n)-cycle which 
can be written as a product of m -|- n — 1 swaps). The remainder of Dec-y involves a readout of Z measurements and 
discarding a subsystem. Since t is constant, b is also constant, and the total number of gates required for decryption 
is independent of d, the size of the circuit to be evaluated. Hence, our scheme is compact for circuits with a constant 
maximum number of T gates and unbounded Clifford gates. 

Randomly permuting the columns of qubits obfuscates the subset of columns where the quantum information 
resides, thereby encrypting the quantum data. This results in the trace distance between any two outputs being 
exponentially small, which we quantify and prove in Lemma Indeed Lemma implies that our scheme has (0,2e)- 
indistinguishability, where e is given in our Theorem]^ which is equivalent to strong (1,8e)—entropic security by 
Definition 4 and Theorem 3 of |42j . This notion of security for quantum encryption is stronger than that of security 
under chosen plaintext attacks where the adversary uses only classical inputs, as used in [36] . 

Lemma 4. Let n,m,p S Z+ and q = n + m. Let U = Ux 0 where Ux is defined in Also 

let £ be a quantum channel as defined in For all G D{nP’^), let p = U£{'i>)W and p' = U£{'it^fi Let 

P= I PpP^ arid p’ = A Epev.ASA 

||p-p'|ltr<2(4P-l)("^"') (42) 

Proof. Note that \\p — ^||tr = Tr(M (;0 — fi')) for some optimal Hermitian M diagonal in the same basis as p — pf, 
with eigenvalues equal to -bl or -1. More precisely, if p — p' has the spectral decomposition J2iAi\i){i\, then M = 
sign(Ai)|i)(z|, where sign(Ai) = I if A^ > 0 and sign(Ai) = —I otherwise. 

Given any A G define the set 5”^ = {cr = PaAP^ '■ P G (pp_q(S'q)} and the corresponding symmetric sum of cta 

as aA = denote At* as the set of all non-zero vectors in Mp.i- For all v G At*, we can have v[l„Om] G S, 

where S is some maximal subset of Mp^q such that for every A, B £ S, Ija dp- Let M = ^ ,(s,) PMPfi 

Then we can write M = for appropriate real constants oa- 

Linearity and cyclity of the trace give Tr(M(p — p')) = Tr(M(p — p')). Note that p — p' admits a decomposition 


P- 


E 

vest* 

/l=v[l„0„] 


r^J - 


2pq 


~0'A, 


(43) 


for appropriate real constants r^ and r^. Using this decomposition of p — p', the decomposition of M, the linearity of 
trace, and the triangle inequality, we get 

Up-P'11,, < 5] iTrasds^^'P^^aAl (44) 

ven* 

A=v[l„0„] 

Bes 

By orthogonality of the Pauli operators under the Hilbert-Schmidt inner product, we get 

||p-^|ltr< E \PraAfiA^-^P^p^crA\. (45) 

A^v[lnOrn.] 


Since M has eigenvalues with absolute value at most one, for any density matrix w G D('H^’'^), we must have 
|TrMa;| < 1 . Hence it trivially follows that |rv| and |r(,| are both at most I. It remains to obtain upper bounds 
on some of the |a^|, the absolute values of the coefficients of the symmetric Pauli decomposition of M. Moreover, 
Tr(M^) < 2P'^, which implies that for every v G H*, 


2^9 > Tr(M2) = Tr( ^ = Tr(^ a^a^) 

A.A'^S AeS 

+ mfi 


> Tr(c 






v[l„0„ 


2P9. 


This implies that |av[i„o„]l ^ Now |D*| = 4^* — 1, and the result follows from (45). 


(46) 

□ 
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Cryptosystem provides the four algorithms necessary to qualify as a symmetric-key quantum homomorphic 
encryption scheme and provides compact encoding and decoding algorithms, and hence in order to prove Theorem 
it suffices to prove the completeness and security properties. The completeness property follows directly from Lemma 
[Hand Lemma m 

To see how the security property follows from Lemma first note that for every positive integer N, we have 

V^N^+h-^ <N\<eN^+h-^. (47) 


From this, for m = an, we get 


n + m 
m 


> 


e^n"+5 77x™+5 

V^(l -k 


1 ^ /27r(l-ha) (1 -f 


\J ^^ + ^\ i+an- + ir 

\ 'n r\j 


(48) 


Hence 


/ _L \ “1/2 / \ 1/4 

2(4K^+*)-l)f” + ™) <4K^+*)(2e) f 

m ) V 27 r(^-kl) 


\2tt{- + 1)J a 


—m/2 


1/4 


= (“i“ T ‘" 4 + 


(49) 


and the security result follows. 


V. OPEN QUESTIONS 

This work has shown that it is possible to construct quantum cryptosystems which allows for evaluation of 
circuits containing a constant number of non-Clifford gates with entropic security. This can be seen as a significant 
strengthening of the results of Broadbent and Jeffery |36j . who introduced a scheme with privacy homomorphisms of 
quantum circuits with a constant T-depth which is secure under the same computational assumptions as classical FHE 
schemes. Indeed, the scheme of Broadbent and Jeffery can be information-theoretically secure by substituting the 
classical homomorphic encryption algorithm that they use for the Clifford gate computation with our scheme; however 
this would violate their compactness requirement. Moreover, our scheme trivially allows privacy homomorphisms of 
arbitrary reversible linear boolean circuits using the privacy homomorphisms of CNOT and X gates. 

This opens the door to several questions: 

1. First and foremost, is the question of whether quantum mechanics allows for unconditionally secure fully- 
homomorphic encryption. In the classical world, homomorphic encryption schemes for fixed depth circuits |43j 
foreshadowed the discovery of the first fully-homomorphic encryption scheme. Importantly, this scheme |27j 
made use of homomorphic encryption for fixed depth circuits in a fundamental way. The results presented 
in the current manuscript motivate the search for a quantum analogue of the bootstrapping approach used 
so successfully in m- This question can also be posed in a weakened form, to ask whether quantum fully- 
homomorphic encryption is possible under plausible security assumptions. 

2. A possible limiting factor to the search for a quantum FHE scheme is the existence of the no-go result of [37]. This 
result precludes fully-homomorphic encryption schemes, and indeed efficient homomorphic encryption schemes 
of any sort for which the cardinality of the set of homomorphisms is more than exponentially large, for which 
the accessible information from the ciphertext is exactly zero. The question then arises as to whether if this is 
requirement for zero accessible information is relaxed to allow up to exponentially small information (as in the 
present work), whether this no-go result still holds. We note that neither the results presented here, nor those 
presented in |36j present a counter-example to this conjecture, since the set of possible privacy homomorphisms 
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has only exponential cardinality. The current best known bound on this is given by [35) . which allows for a set 
of privacy homomorphisms which has greater than exponential cardinality. However, in that case, the accessible 
information scaled as a constant fraction of the encoded information. It remains an open question whether 
improvements can be made in either direction. 
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